httpd-users mailing list archives

From Matthew Bachmann <mbachm...@google.com>
Subject Re: [users@httpd] wrong certs
Date Thu, 24 Oct 2013 12:16:45 GMT
I am not using name based virtual hosts, so there is no SNI here.


On Thu, Oct 24, 2013 at 6:52 AM, Jan Vávra <vavra@602.cz> wrote:

>  This is not a bug but a SNI feature (
> http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI).
> Check if you have not defined
>   NameVirtualHost *:424
>   NameVirtualHost *:444
> Jan.
>
>
>
>  Try your same config but use A for the ServerName in both VirtualHost
> sections.  Based on what I've seen, you should then get 1.crt from either
> port, and never get 2.crt, which seems like a bug.
>
>
> On Wed, Oct 23, 2013 at 3:14 AM, Jan Vávra <vavra@602.cz> wrote:
>
>>  Hello,
>>  it is obvious you are using port based virtual host. My question was for
>> assuring you have configured basics well.
>>  So I suppose you have:
>>
>>
>> Listen *:424 https
>> <VirtualHost *:424>
>> ServerName A
>> SSLCertificateFile 1.crt
>> SSLCertificateKeyFile 1.key
>>
>> #and probably also
>> SSLCertificateChainFile chain.crt
>>
>> </VirtualHost>
>>
>>
>> I have made a test and it works fine.
>> I do not use wildcards, I directly specify the IP address.
>>
>> Listen 424 https
>> Listen 444 https
>> <VirtualHost 192.168.1.211:424>
>>  ServerName A
>>  SSLCertificateFile 1.crt
>>  SSLCertificateKeyFile 1.key
>> </VirtualHost>
>>
>> <VirtualHost 192.168.1.211:444>
>>  ServerName B
>>  SSLCertificateFile 2.crt
>>  SSLCertificateKeyFile 2.key
>> </VirtualHost>
>>
>> and in my hosts file there are records
>> 192.168.1.211 A
>> 192.168.1.211 B
>>
>> Try to call httpd -S. In my case it shows
>> VirtualHost configuration:
>> ....
>> 192.168.1.211:424      A (1.conf)
>> 192.168.1.211:444      B (2.conf)
>>
>> For A and B I use some real names eg. www.mycompany1.cz,
>> www.mycompany2.cz.
>>
>> Do you even know about name based virtual https host?
>> http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
>> Most clients support this and I use it in production.
>>
>> Jan
>>
>>   The certificates are specified in port based virtual hosts, there is
>> no NameVirtualHost here.  So I would expect the specified certificate to be
>> served on the corresponding port no matter what host header was passed.
>>
>>
>> On Tue, Oct 22, 2013 at 4:50 PM, Jan Vávra <vavra@602.cz> wrote:
>>
>>> Hello.
>>>  For sure have you not forgotten specifying option SSLCertificateKeyFile?
>>>  What is the url you are using?
>>>  If you use https://localhost:424 instead of https://a:424, you can get
>>> weird results.
>>>
>>>  I can also try it, if your problem persists. My last several years have been
>>> full of creating and using certificates ;-)
>>>
>>>  Jan.
>>>
>>>
>>>  If two virtual hosts on different ports specify different certificate
>>>> files, but use the same ServerName, both ports use the same certificate.
>>>>  Is this expected behavior?
>>>>
>>>>
>>>> With this config:
>>>>
>>>> Listen *:424 https
>>>> <VirtualHost *:424>
>>>> ServerName A
>>>> SSLCertificateFile 1.crt
>>>> </VirtualHost>
>>>>
>>>> Listen *:444 https
>>>> <VirtualHost *:444>
>>>> ServerName A
>>>> SSLCertificateFile 2.crt
>>>> </VirtualHost>
>>>>
>>>> connecting to either 424 or 444, I get cert 1.
>>>>
>>>> With this config:
>>>>
>>>> Listen *:424 https
>>>> <VirtualHost *:424>
>>>> ServerName A
>>>> SSLCertificateFile 1.crt
>>>> </VirtualHost>
>>>>
>>>> Listen *:444 https
>>>> <VirtualHost *:444>
>>>> ServerName B
>>>> SSLCertificateFile 2.crt
>>>> </VirtualHost>
>>>>
>>>> connecting to 424 gets me cert 1, and connecting to 444 gets me cert 2.
>>>>
>>>>
>>>>
>>>
>>>  ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>>
>>
>>
>
>
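The thread turns on two checks: whether each port-based SSL vhost actually carries its own SSLCertificateFile/SSLCertificateKeyFile pair and a distinct ServerName, and which certificate a client really receives on each port with and without SNI. The script below is an added example and is not code from the list, from Apache, or from either poster. It reads a vhost snippet in the plain form quoted above (a deliberately small parser, not a full Apache config parser), reports the same address/ServerName summary that `httpd -S` prints, flags the two issues raised in the thread, and includes a probe that does what `openssl s_client -connect host:port [-servername name]` would do: return the SHA-256 fingerprint of the leaf certificate served, once without SNI and once with it. The embedded config is the first one from the original post; the hostnames and ports in the commented-out live call are placeholders.

```python
"""Added example: static sanity check for port-based SSL vhosts plus a live
certificate probe. Not code from the thread; assumptions are marked inline."""
import hashlib
import re
import socket
import ssl
from collections import defaultdict

# Constructed sample: the first config from the original post, which served
# 1.crt on both ports (same ServerName, no SSLCertificateKeyFile).
SAMPLE_CONFIG = """
Listen *:424 https
<VirtualHost *:424>
ServerName A
SSLCertificateFile 1.crt
</VirtualHost>

Listen *:444 https
<VirtualHost *:444>
ServerName A
SSLCertificateFile 2.crt
</VirtualHost>
"""

# Assumption: one directive per line, no Include/IfModule nesting, as in the
# snippets quoted in the thread.
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(text):
    """Return one dict per <VirtualHost> block: {'address': ..., directive: value}.
    The address plus ServerName is the summary `httpd -S` prints per vhost."""
    vhosts = []
    for m in VHOST_RE.finditer(text):
        entry = {"address": m.group(1).strip()}
        for line in m.group(2).splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            if len(parts) == 2:
                entry[parts[0]] = parts[1].strip()
        vhosts.append(entry)
    return vhosts


def check_vhosts(vhosts):
    """Flag the two things questioned in the thread: an SSL vhost that names a
    certificate but no SSLCertificateKeyFile, and one ServerName shared by
    several SSL vhosts (here on different ports)."""
    findings = []
    by_name = defaultdict(list)
    for vh in vhosts:
        if "SSLCertificateFile" in vh and "SSLCertificateKeyFile" not in vh:
            findings.append(f"{vh['address']}: SSLCertificateFile without SSLCertificateKeyFile")
        if "ServerName" in vh and "SSLCertificateFile" in vh:
            by_name[vh["ServerName"]].append(vh["address"])
    for name, addrs in by_name.items():
        if len(addrs) > 1:
            findings.append(f"ServerName {name} reused by SSL vhosts: {', '.join(addrs)}")
    return findings


def served_cert_fingerprint(host, port, server_name=None, timeout=5.0):
    """Connect to host:port and return the SHA-256 fingerprint of the leaf
    certificate the server actually sends. With server_name=None no SNI is
    sent; calling it twice (with and without) shows whether SNI changes the
    selection. Verification is disabled on purpose: we only inspect the cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    parsed = parse_vhosts(SAMPLE_CONFIG)
    for vh in parsed:
        print(vh["address"], vh.get("ServerName"), vh.get("SSLCertificateFile"))
    for finding in check_vhosts(parsed):
        print("WARN:", finding)
    # Live probe against a real server (placeholders, requires network):
    # print(served_cert_fingerprint("A", 424), served_cert_fingerprint("A", 424, "A"))
    # print(served_cert_fingerprint("A", 444), served_cert_fingerprint("A", 444, "A"))
```

If the fingerprint on port 444 matches the one on port 424 regardless of whether SNI is sent, the selection is not being driven by SNI, which is the point Matthew makes in his reply; if it only matches when a server name is sent, SNI is involved. Running `check_vhosts` over the original post's first config reports both the shared ServerName and the missing key files.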
